OpenSSL 1.0.0 issue

Hi,

I use the BOINC client, and am a contributor to the World Community Grid project on my Archlinux computer, but a few days ago (around September 7th), I was suddenly unable to download any new tasks for my BOINC client. Thinking it might be BOINC-related, or even WCG-related, I went on to the WCG forums where it appeared that the problem was Archlinux-related, and more specifically openssl-related. Since there's only two of us experiencing this problem and reporting it, it might be just a strike of luck though...

What we worked out so far on the WCG forums: the trouble seems to have appeared around September 7th, around which time a cache corruption seems to have appeared in WCG servers. The cache was cleared around September 10, but the issue persisted for Archlinux users.

Moving libssl.so.1.0.0 and libcrypto.so.1.0.0 to another place, and making symlinks to their 0.9.8 counterparts solved the issue. Though I'm not a strong fan of symlinking, since it's usually just a lot more trouble down the road...

So my questions are these:

1) Is there any tweaking done on Archlinux's part to those openssl libs that might explain why we seem to be the only distribution having this problem? And if so, would I be able to get a more "vanilla" version using makepkg?
2) Is there any way I could force BOINC to use the older version of those libs, while not making a system-wide change like would happen with symlinks?

Thanks to anyone who will be able to provide any help on the matter.

[EDIT] I'll add that my system is kept regularly up-to-date, and that no major update was done on my part around the date where things broke. My system is also up-to-date as of now, and I've tried reinstalling openssl, to no avail.

[EDIT2] I'll also add that my connection to the internet is wired, so it's most definitely not the reported problem about the wireless driver.

Re: OpenSSL 1.0.0 issue

brebs wrote:

Lots of patches in Ubuntu - look in their blah.debian.tar.gz file, in the debian/patches dir.

Thank you brebs, I think you pointed me in the right direction! I went over the patches Ubuntu applied; one that interested me was this bug. It seems like the latest OpenSSL 1.0.1c source already has this applied, so after recompiling OpenSSL with the flag '-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50', it looks like I was able to download work units as normal. Although I haven't fully tested it out, I'm unsure if 'World Community Grid' may have fixed things on their end? I would like to do some more testing but I've downloaded so many work units now it will take a few days to get through lol.

@Azriel, can you confirm you are still unable to download? Because if you can't, the above fix could be the solution. Here's the (hopefully) fixed PKGBUILD, you will require the other files in addition here

Re: OpenSSL 1.0.0 issue

Great news! OK, I'll test it for a couple of days, and if all is still going well, I'll have to file a bug report since it affects two Archlinux packages.

Edit: I've rebooted, BOINC has finished some work units, and successfully downloaded more today, so I'll assume the workaround fixed things, and as Ubuntu configures and compiles with this flag by default, I went ahead and made a bug report here.

I also came across this recent forum post, it could be a possible third user affected.

Edit 2: According to the OpenSSL CVS website, the change that enables these flags, here, was added to 1.0.1a. It mentions that two options can be used: one is the workaround to specify cipher length (which we added above), and if that fails there is the choice of another flag, 'OPENSSL_NO_TLS1_2_CLIENT'. This is where it gets strange: Archlinux already includes this flag in the default PKGBUILD as '-DOPENSSL_NO_TLS1_2_CLIENT'; what this does is disable TLS 1.2 client support entirely. So by adding both flags I don't know what exactly is happening. My guess, as things have started working, is that the cipher length option has overridden it, and this must mean that WCG now require the use of TLS 1.2?

Edit 3:

OK, it seems like Ubuntu apply both options as well:

- debian/patches/tls12_workarounds.patch: workaround large client hello
issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and
with -DOPENSSL_NO_TLS1_2_CLIENT.

Re: OpenSSL 1.0.0 issue

Sebarres wrote:

Hi, I'm sorry but I don't understand how to install this custom openssl. Is it possible to put it on AUR? :x Thanks

I don't think I have the know-how to maintain a package on AUR, so I won't. Furthermore, this is likely to get fixed upstream one day, and the issue seems very specific to BOINC, so I'm not sure an AUR package is that relevant anyway (though others might disagree).

Your best plan is probably to explain to us as clearly as possible what you are doing, and where you are stuck, and we will try to un-stuck you the best we can.

The AUR actually works using PKGBUILDs; a PKGBUILD file is a file telling the computer how to compile the files in the current directory to create a package. So it's basically the same thing as downloading a tarball from the AUR and extracting its content.

Anyway, once you have both the required files and the PKGBUILD, you just type makepkg into the console (while in the correct directory), and you should see the new package being created. At the end of the process, you'll end up with the package in the directory, which you'll install using pacman.

[EDIT] You may want to read on that if you want to know more about the package creation process.

Re: OpenSSL 1.0.0 issue

OK, my problem is solved - looks like my problems weren't connected with openssl (or maybe they were but not only, now I have this patched version installed ;) ) - I had something messed up in /etc/hosts - a long time ago I placed IPs for secure.worldcommunitygrid.org and some other WCG sites there...

Re: OpenSSL 1.0.0 issue

No, but I still have my problem with the message "Tasks for AMD/ATI GPU are available, but your preferences are set to not accept them". Thus, I can't download WU since some weeks and I don't understand why.

Re: OpenSSL 1.0.0 issue

sknd wrote:

now the problem is back - transient HTTP error, with .pga files, .pdbqt files and some others... i have patched openssl installed, my etc/hosts is also ok;)

anyone has this problem?

Yes, I have exactly the same! I use Parabola GNU/Linux-libre (libre fork of Archlinux) x86-64, OpenSSL 1.0.1.c and BOINC 7.0.28. I hadn't it before the end of November (even with default OpenSSL from repos, no custom PKGBUILDs), and now I have this bug only for .pdbqt and other projects' files (workunits by themselves are OK).

Re: OpenSSL 1.0.0 issue

Just a quick bump to say that after having to reinstall Arch, this issue still exists, and the fix proposed by Peaceseeker still works. I've edited the wiki to create a quick how-to fix, but if someone feels like creating an AUR package, it seems like this bug is here to stay.

Thanks @Benmachine too for the noob-proof way of downloading those files, not used to using git myself

Re: OpenSSL 1.0.0 issue

Uhh, I followed the troubleshooting page on BOINC (Thank you Azriel!), but I can't makepkg successfully... The file "Fix-IV-check-and-padding-removal.patch" fails md5sum check of makepkg. Here is the output of makepkg:

Re: OpenSSL 1.0.0 issue

k2_8191 wrote:

I think editing the md5sum value in PKGBUILD is not a good idea unless the file is edited explicitly...

Well, sometimes editing the md5sum is the good choice, but the only reason I can think of would be an orphaned AUR package whose PKGBUILD you had to edit to change the source, making the newly downloaded file different, hence having a different checksum. In this case, there shouldn't be any reason to change the checksum.

I've just followed the wiki myself, and the package compiled perfectly, so my guess is that the fault isn't on the howto, nor on the sources. So it's probably just checksums doing their job and warning you that your download got corrupted somehow. It happens, it's not a big deal, and that's exactly why we have checksums.

So the fix should be quite simple: just repeat step 1 (git clone blablabla) to download all of the sources again, and just try again to makepkg.

Or you can just download the one file not passing the checksum directly from here.